[Snort-users] tcpdump script

Nathaniel Richmond nate+snort at ...14258...
Wed Apr 8 13:22:11 EDT 2009


Nigel Houghton wrote:

> Quoting Leon to make it clear what he actually stated:
>
> "The method I use is to keep a limited cache of network traffic via
> tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort
> raises
> an alert, a process automatically kicks off that extracts the
> session
> that caused the alert from the ringbuffer and stores it for
> prosperity."
>
> In short, Leon is not using Snort to grab the packets. He is getting
> full session data for the event and IMNSHO he's doing it elegantly.
>
> p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not,
> do it now.
>

Nigel, I understand. I was trying to point out that there can be
value in capturing more sessions than just the one that triggered
the alert.

The Snort 2.8.4 upgrade process was relatively painless.




More information about the Snort-users mailing list